4 Background

..there is nothing you have to do to make CORS-enabled cross-origin
requests work, there are a few security details worth understanding.
First, if you pass a username and password to the XMLHttpRequest
open() method, they will never be sent with a cross-origin request
(that would enable distributed password-cracking attempts). In
addition, cross-origin requests do not normally include any other user
credentials either: cookies and HTTP authentication tokens are not
normally sent as part of the request and any cookies received as part
of a cross-origin response are discarded. If your cross-origin request
requires these kinds of credentials to succeed, you must set the
withCredentials property of the XMLHttpRequest to true before you
send() the request.[fn:1]
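The opt-in described above, plus what the browser then requires of the server, as an added example that is not from the quoted text. `sendWithCredentials`, `corsCheck` and the `https://app.example` origin are hypothetical names; `corsCheck` models the "CORS check" of the Fetch standard, which is background knowledge rather than something this page states.

```javascript
// Browser side: opt in to sending cookies / HTTP auth on a cross-origin request.
// sendWithCredentials is a hypothetical helper; it needs a browser's XMLHttpRequest.
function sendWithCredentials(url, onDone) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", url);        // no username/password arguments: never sent cross-origin
  xhr.withCredentials = true;  // must be set before send()
  xhr.onload = () => onDone(xhr.status, xhr.responseText);
  xhr.onerror = () => onDone(0, null); // a failed CORS check surfaces as a network error
  xhr.send();
}

// Model of the check the browser applies to the response before script may read it.
// headers: plain object with lower-cased header names (assumption of this example).
function corsCheck(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { readable: false, reason: "Access-Control-Allow-Origin missing" };
  }
  if (!withCredentials && allowOrigin === "*") {
    return { readable: true, reason: "wildcard accepted for uncredentialed request" };
  }
  if (allowOrigin !== requestOrigin) {
    return { readable: false, reason: "Access-Control-Allow-Origin does not match origin" };
  }
  if (!withCredentials) {
    return { readable: true, reason: "origin matches" };
  }
  // Credentialed request: the server must also opt in with the exact value "true".
  if (headers["access-control-allow-credentials"] === "true") {
    return { readable: true, reason: "origin matches and credentials allowed" };
  }
  return { readable: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
}

// Constructed sample responses for a page served from https://app.example.
const ORIGIN = "https://app.example";
const SAMPLES = [
  [false, { "access-control-allow-origin": "*" }],
  [true,  { "access-control-allow-origin": "*" }],
  [true,  { "access-control-allow-origin": ORIGIN }],
  [true,  { "access-control-allow-origin": ORIGIN, "access-control-allow-credentials": "true" }],
];
function runSamples() {
  return SAMPLES.map(([creds, headers]) => corsCheck(ORIGIN, creds, headers).readable);
}
console.log(runSamples()); // [ true, false, false, true ]
```

When reviewing a server's CORS configuration, the second and third samples are the cases to remember: a wildcard origin or a missing `Access-Control-Allow-Credentials: true` makes a credentialed response unreadable to the calling script.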